THE BOTTOM LINE
- Safety Overrides Access: Companies in safety-critical sectors like aviation can successfully argue that their confidential ‘no-blame’ incident reporting systems are protected from full GDPR access requests, prioritizing public safety over an individual’s right to see the full report.
- Data Rights Are Not Absolute: An individual’s right of access under Article 15 of the GDPR is not unconditional. It can be legally restricted when it conflicts with overriding public interests, such as aviation safety, or infringes on the rights and freedoms of others involved in the report.
- A Key Distinction: While the analytical content of an incident report can be withheld, companies must still provide access to the individual’s direct personal data (e.g., name, contact details, date of birth) contained within it. The court draws a clear line between verifying basic identity data and accessing the full investigation.
THE DETAILS
This case centered on a direct conflict between an individual’s fundamental right to access their personal data under the GDPR and the legally protected confidentiality of an aviation safety report. After being seriously injured in a parachute jump, the petitioner requested a copy of the incident report filed with the Royal Netherlands Aeronautical Association. He argued the report contained his personal data—from his name and physical attributes to observations about his actions and injuries—and that under Article 15 of the GDPR, he had a right to access it. The association refused, arguing that the integrity of its safety reporting system, which relies on confidential, no-blame submissions, was paramount.
The court sided with the association, emphasizing the primacy of specific safety regulations. It highlighted that EU Regulation 376/2014 governs aviation incident reporting with the sole purpose of preventing future accidents, not to assign blame or determine liability. To encourage open and honest reporting from staff without fear of reprisal, this system depends on strict confidentiality. The court ruled that this specific legal framework creates a legitimate exception to the GDPR’s general right of access, as permitted under Article 23 of the GDPR, to protect the crucial public interest of aviation safety. Disclosing full reports for liability purposes would fundamentally undermine this system.
However, the court’s decision was not a blanket denial. It drew a careful line, ordering a partial disclosure. The request for the full report, including the analysis and description of the incident, was denied to protect the confidential nature of the safety investigation. But the court affirmed the petitioner’s right to access and verify his own direct, identifying personal data. It therefore ordered the association to provide a copy of the report’s cover sheet, which contained the petitioner’s name, contact details, and physical data. This nuanced ruling demonstrates that while the core of a confidential safety analysis is protected, a company’s obligation to allow individuals to review their basic personal information remains intact.
SOURCE
Source: Rechtbank Zeeland-West-Brabant
